© 2017 ForgeRock. All rights reserved.
GDPR Is Coming In Hot: Top Burning Questions Answered To Help You Keep Your Cool
Eve Maler, @xmlgrrl, VP Innovation & Emerging Technology, ForgeRock
Sean Doherty, @SeanD0herty, Analyst, Workforce Productivity & Compliance Channel, 451 Research
July 25, 2017
451 Research is an information technology research & advisory company
• Founded in 2000
• 300+ employees, including over 100 analysts
• 1,000+ clients: technology & service providers, corporate advisory, finance, professional services, and IT decision makers
• 50,000+ senior IT professionals in our research community
• Over 52 million data points each quarter
• 4,500+ reports published each year covering 2,000+ innovative technology & service providers
• 451 Research and its sister company Uptime Institute comprise the two divisions of The 451 Group
• Headquartered in New York City with offices in London, Boston, San Francisco, Washington D.C., Mexico, Costa Rica, Brazil, Spain, U.A.E., Russia, Taiwan, Singapore, and Malaysia
Research & Data | Advisory Services | Events
GDPR: when and where?
• Effective and enforced on May 25, 2018, replacing the 1998 Data Protection Directive (95/46/EC).
• The regulation requires member countries to follow and enforce the GDPR without passing local legislation.
• The regulation applies to:
1. The processing of personal data from the activities of an establishment of a controller or processor in the EU; or
2. A controller or processor not established in the EU, where personal data collection and processing is related to the offering of goods or services to data subjects in the EU or the processing monitors data subjects’ behavior in the EU.
GDPR definitions
Personal data means any information relating to an identifiable natural person (data subject), i.e., one that can be identified, directly or indirectly, from a name, identification number, location data, online identifier or other factors specific to the physical, genetic, economic, or social identity of the data subject. Art. 4(1).
Processing means any operation performed on personal data, such as collection, recording, organizing, and storing. Art. 4(2).
A controller is a person or organization that determines the purposes and means of processing personal data. Art. 4(7).
A processor is a person or organization that processes personal data on behalf of a controller. Art. 4(8).
GDPR effect: not a butterfly but a bee
• Violations of the GDPR can cost up to €20m in fines or up to 4% of a controller’s or processor’s previous year’s worldwide revenue.
• Requires data controllers and processors to hire a data protection officer for regular and systematic monitoring of data subjects on a large scale.
• Mandatory data breach notifications to data subjects within 72 hours of the breach.
• Gives EU residents more control of their personal data:
  • Prohibit data processing beyond its specified purpose.
  • The right to correct (rectify) and delete (erasure) or be forgotten.
  • Withdraw consent to data processing.
• Data subjects and nonprofit organizations on behalf of data subjects can bring actions directly against data controllers and processors for GDPR violations.
The EU General Data Protection Regulation: It’s different this time
• Firm deadline, big penalties, high aspirations…and viral
• “Data protection” encompasses a wide variety of data transparency and data control requirements
Image: https://www.flickr.com/photos/adpowers/16808090/ | CC BY 2.0
Take steps
Identify intersections between digital transformation opportunities and user trust risks
Conceive of personal data as a joint asset
Lean in to consent
Take advantage of identity and access management for building trust
We asked what you wanted to know – and you let us have it
Image: https://www.flickr.com/photos/infomastern/11459954985/ | CC BY-SA 2.0
Q1: My company interacts with end-users directly and holds user account data. When sending such data from Australia to, say, the US, what regulation applies: Australia, US, EU...?
Q3a: Does GDPR require that I store data about my customers in the country it was collected in?
Q3b: How does it work in the ForgeRock Identity Platform to store identity profile data within a specific region?
The ForgeRock Identity Platform
Components: Access Management (AM), Identity Management (IDM), Identity Gateway (IG), Directory Services (DS), Common Services (CS)
Capabilities shown in the platform diagram:
• AM / IDM / IG: Authentication, Authorization, Provisioning, Reconciliation, OIDC/OAuth, Federation, Adaptive Risk, Stateless & Stateful, UMA Provider, Mobile App, User Self Service, Workflow Engine, Registration, Single View of Customer, Synchronization, Password Management, Password Replay, SAML, Token Transformation, UMA Protector, API Security Throttling
• CS: Common Scripting, Common Audit/Logging, Common User Interface, Common REST API
• DS: LDAPv3, Replication, REST/JSON, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, AD Pass Through, Reporting
Data sovereignty and fractional replication
Global User Profile (has all user attributes)
• Regional replica contains a subset of the complete user profile
• Fractional replication within each jurisdiction
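The slide describes the pattern only at the level of a diagram: one global profile holds every attribute, and each jurisdiction's replica receives a fraction of it. The following Python is an added example (not ForgeRock code and not how DS implements fractional replication internally) that models that policy: a per-jurisdiction allow-list, a set of attributes that never leave the data subject's home region, and a check that detects a replica holding something it should not. The attribute names, the `REPLICATION_POLICY` table, `HOME_ONLY_ATTRIBUTES` and `SAMPLE_PROFILE` are all constructed for illustration.

```python
"""Fractional replication of a global user profile per jurisdiction.

Added example; the policy table and attribute names are constructed
assumptions, not a ForgeRock configuration.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical per-jurisdiction policy: the attributes a replica hosted in
# that region may hold. Real allow-lists come from legal review.
REPLICATION_POLICY: Dict[str, Set[str]] = {
    "eu": {"uid", "mail", "givenName", "sn", "preferredLanguage", "homeRegion"},
    "us": {"uid", "mail", "givenName", "sn", "homeRegion"},
    "apac": {"uid", "mail", "homeRegion"},
}

# Attributes that stay in the data subject's home jurisdiction only.
HOME_ONLY_ATTRIBUTES: Set[str] = {"dateOfBirth", "nationalId", "healthConsent"}

# Constructed sample record; "homeRegion" marks the subject's jurisdiction.
SAMPLE_PROFILE: Dict[str, str] = {
    "uid": "u12345",
    "mail": "alice@example.test",
    "givenName": "Alice",
    "sn": "Example",
    "preferredLanguage": "de",
    "homeRegion": "eu",
    "dateOfBirth": "1990-01-01",
    "nationalId": "constructed-national-id",
    "healthConsent": "granted",
    "loyaltyTier": "gold",  # in no allow-list: replicated nowhere
}


def fractional_replica(profile: Dict[str, str], jurisdiction: str) -> Dict[str, str]:
    """Return the attribute subset that a replica in `jurisdiction` may hold."""
    allowed = REPLICATION_POLICY[jurisdiction]
    subset = {k: v for k, v in profile.items() if k in allowed}
    if jurisdiction == profile.get("homeRegion"):
        # Only the home replica also receives the home-only attributes.
        subset.update({k: v for k, v in profile.items() if k in HOME_ONLY_ATTRIBUTES})
    return subset


def replicate_everywhere(profile: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Fan the global profile out to every configured jurisdiction."""
    return {j: fractional_replica(profile, j) for j in REPLICATION_POLICY}


def sovereignty_violations(profile: Dict[str, str],
                           replicas: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (jurisdiction, attribute) pairs where a home-only attribute
    has landed outside the subject's home region. Empty list means clean."""
    home = profile.get("homeRegion")
    violations = []
    for jurisdiction, data in replicas.items():
        if jurisdiction == home:
            continue
        for attr in sorted(HOME_ONLY_ATTRIBUTES & set(data)):
            violations.append((jurisdiction, attr))
    return sorted(violations)


if __name__ == "__main__":
    replicas = replicate_everywhere(SAMPLE_PROFILE)
    for region, data in replicas.items():
        print(region, sorted(data))
    print("violations:", sovereignty_violations(SAMPLE_PROFILE, replicas))
```

The `sovereignty_violations` check is the part worth keeping in a real deployment: run it against what each regional replica actually holds, not against what the policy says it should hold, so that a misconfigured replication agreement is caught rather than assumed away.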
Q4: If a US employee of my organization uses a VPN connection back to the home office while in another office that’s located in the EU, what regulation applies: US, EU…?
Q5a: What do data encryption techniques have to do with GDPR?
Q5b: How does it work in the ForgeRock Identity Platform to encrypt and protect identity attributes?
Many layers of protection for personal data
(Across Directory Services, Access Management, Identity Management, Identity Gateway and Common Services)
• On-disk encryption of data and indexes
• Access controls to prevent unauthorized users from reading data
• Encrypted backups
• Tamper-proofed audit logging, depending on the “sink” chosen
• Logging only of the user identifier, not of profile content
• Token proof of possession available to ensure the bearer is the rightful owner
• Signing and encryption for JWTs, id_tokens, SAML assertions, UserInfo responses
• Contextual authorization
• Encryption of credentials and profile attributes
• Encryption or hashing of data during synchronization
• Contextual authorization (at the gateway)
• Message header encryption
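Two of the layers listed above, tamper-proofed audit logging and logging only the user identifier rather than profile content, are easy to state and easy to get wrong. The Python below is an added example (not ForgeRock code, and not the platform's audit sink format) showing both properties in isolation: each entry carries the identifier and an action name only, and entries are chained with an HMAC over the previous entry's tag so that an edited or deleted record breaks verification. `AUDIT_KEY`, the event names and `SAMPLE_PROFILE` are constructed for the demo.

```python
"""Minimized, tamper-evident audit log.

Added example; the key, event names and sample profile are constructed
assumptions, not a ForgeRock audit configuration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Sequence, Tuple

# Assumption: a real deployment keeps this key in a managed keystore.
AUDIT_KEY = b"constructed-demo-audit-key"
GENESIS = "0" * 64  # "previous tag" of the first entry

# Constructed sample profile; none of these values may reach the log.
SAMPLE_PROFILE: Dict[str, str] = {
    "uid": "u12345",
    "mail": "alice@example.test",
    "givenName": "Alice",
    "dateOfBirth": "1990-01-01",
}


def _tag(entry: Dict[str, str]) -> str:
    """HMAC over a canonical JSON encoding of the entry body."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def audit_event(prev_tag: str, user_id: str, action: str, outcome: str) -> Dict[str, str]:
    """One chained entry: identifier, action and outcome, nothing from the profile."""
    entry = {"prev": prev_tag, "userId": user_id, "action": action, "outcome": outcome}
    entry["mac"] = _tag(entry)
    return entry


def profile_update_event(prev_tag: str, profile: Dict[str, str],
                         changed: Sequence[str]) -> Dict[str, str]:
    """Record a profile change by attribute *names* only; values never enter the sink."""
    action = "PROFILE_UPDATE:" + ",".join(sorted(changed))
    return audit_event(prev_tag, profile["uid"], action, "SUCCESS")


def build_log(events: Sequence[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Chain a sequence of (user_id, action, outcome) into a verifiable log."""
    log, prev = [], GENESIS
    for user_id, action, outcome in events:
        entry = audit_event(prev, user_id, action, outcome)
        log.append(entry)
        prev = entry["mac"]
    return log


def verify_log(log: Sequence[Dict[str, str]]) -> int:
    """Return -1 if the chain is intact, else the index of the first entry
    whose link or tag does not verify (covers edits and deletions)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_tag(body), entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return -1


def leaks_profile_content(log: Sequence[Dict[str, str]], profile: Dict[str, str]) -> bool:
    """True if any profile value other than the identifier appears in the serialized log."""
    serialized = json.dumps(log)
    return any(value in serialized for key, value in profile.items() if key != "uid")


if __name__ == "__main__":
    log = build_log([("u12345", "LOGIN", "SUCCESS"), ("u12345", "CONSENT_GRANT", "SUCCESS")])
    log.append(profile_update_event(log[-1]["mac"], SAMPLE_PROFILE, ["mail"]))
    print("intact:", verify_log(log) == -1)
    print("leaks profile content:", leaks_profile_content(log, SAMPLE_PROFILE))
```

Whether a given audit sink is tamper-proofed depends, as the slide says, on the sink chosen; a chained tag like this only detects modification after the fact, so the key must be held somewhere the writers of the log cannot reach.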
Q7: If my organization has shared end-user data with a third party, and our end-user asks for it to be deleted, whose responsibility is it to delete it?
Q8a: When does GDPR say I have to go back to an end-user and ask for their consent to process their data again after collecting it a first time?
Q8b: When is it possible to ask for an end-user’s consent using the ForgeRock Identity Platform?
Moments of consent
• Registration time
• Authentication time
• Access approval (asynchronous)
Q9a: I’ve heard my organization will have to change all of our consent collection practices because of GDPR – is that true?
Q9b: What consent lifecycle management capabilities does the ForgeRock Identity Platform have?
Single view of the consumer
Giving the consumer a single view of their consents
Giving the consumer control over their consents
● Lifecycle management of a user profile and their data sharing preferences
● Secure storage of profile data
● Anonymized syncing of profile data and connector-based integration to third-party systems
● Terms of service and privacy policy capture
● Social sign-in
● Social registration
● Social consent management
● Interoperable, user-driven, proactive and reactive sharing flows
The holistic view of consent lifecycle management
Patient selectively sharing IoT health data with doctors and other caregivers with User-Managed Access (UMA)
Patient view | Doctor view
Granular consented access by accountant to bank customer’s account data and transactions
Q10a: What does GDPR say about parental consent, and what is the age of majority?
Q10b: What are the capabilities of the ForgeRock Identity Platform regarding parental consent?
Typical parent/child account relationship and capabilities
Parent/Guardian Account
• Can self-register
• Can create and manage age-constrained accounts
• Full schema and permissions
• Access approval options, e.g. through UMA constrained delegation
Child Account
• Not allowed to self-register
• Jurisdictionally defined age-constrained account
• Limited schema and permissions
We’d like to show you what we’ve got cooking
Image: https://www.flickr.com/photos/carree/2502801336/ | CC BY-ND 2.0
Profile and Privacy Management Dashboard: It’s all about self-service for…
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Convenient and centralized data protection, transparency, and control
demo
Thank You! Questions?
Eve Maler, VP Innovation & Emerging Technology, ForgeRock, @xmlgrrl
Sean Doherty, Analyst, Workforce Productivity & Compliance Channel, 451 Research, @SeanD0herty